Abstract. Currently, short signatures are receiving significant attention since they are particularly useful in low-bandwidth communication environments. However, most short signature schemes are based on only one intractable assumption. Recently, Su presented an identity-based short signature scheme based on the knapsack problem and bilinear pairing, and claimed that the signature scheme is secure in the random oracle model. Unfortunately, in this paper we show that his scheme is insecure. Concretely, an adversary can forge a valid signature on any message with respect to any identity in Su's scheme.
1 Introduction

In traditional public key cryptosystems, a digital certificate which guarantees the authenticity of the relationship between a public key and its owner needs to be produced by a Certification Authority (CA). This brings the certificate management problem, since such a system requires a large amount of computing and storage cost to deal with the distribution, verification, renewal and storage of the certificates. To overcome this problem, Shamir [1] introduced the concept of identity-based (ID-based) public key cryptography in 1984. In this setting, a user's public key can be derived from his identity (e.g., his name or email address) and his secret key is generated by a trusted third party called the Private Key Generator (PKG). Therefore, an ID-based cryptosystem is more convenient than a traditional one and carries great weight in the cryptography research community.

Currently, ID-based short signatures are receiving significant attention since they are particularly useful in low-bandwidth communication environments. However, most of the existing short signature schemes are based on only one intractable assumption, such as bilinear pairing [2,3,4] or RSA [5]. Recently, to enhance the security of short signatures, Su [6] presented an ID-based short signature scheme based on the knapsack problem and bilinear pairing. He claimed that his scheme is provably secure in the random oracle model. Unfortunately, in this paper we will show that an adversary can forge a signature on any message in Su's signature scheme. That is, Su's scheme is not secure.

The rest of this paper is organized as follows. In Section 2, we present some preliminaries used throughout the paper. We review Su's enhanced short signature scheme in Section 3 and analyze its security in Section 4. Finally, we conclude this paper in Section 5.

2 Preliminaries 

2.1 Bilinear pairing 

Let $G_1$ and $G_2$ be two cyclic groups of the same prime order $q$. We will view $G_1$ as an additive group and $G_2$ as a multiplicative group. A bilinear pairing is a map $e : G_1 \times G_1 \to G_2$ with the following three properties.

1. Bilinearity: For all $a, b \in \mathbb{Z}$ and $P, Q \in G_1$, the map $e : G_1 \times G_1 \to G_2$ satisfies $e(aP, bQ) = e(P, Q)^{ab}$.

2. Non-degeneracy: There are $P, Q \in G_1$ such that $e(P, Q) \neq 1$.

3. Computability: There exists an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in G_1$.

2.2 Knapsack problem 

The knapsack problem or subset-sum problem is to determine, given a set of positive integers $W = \{w_1, w_2, \dots, w_n, t\}$, whether there is a subset of the set $\{w_i\}_{i=1}^{n}$ that sums to $t$. Formally, the problem is equivalent to determining whether there is a set $X = \{x_1, x_2, \dots, x_n\}$ such that



2.3 ID-based signatures 

An ID-based signature scheme consists of the following four probabilistic polynomial-time algorithms:

Setup. On input a security parameter $k$, the PKG generates a master secret key $MSK$ and the public parameters $PP$.

Extract. On input a user's identity $ID$ and the master secret key $MSK$, this algorithm outputs a secret key $sk_{ID}$ for $ID$. The user's public key is determined by his identity $ID$.

Sign. On input a message $m$ and the secret key $sk_{ID}$ of the signer $ID$, this algorithm outputs a signature $\sigma$ on $m$.

Verify. On input a signature $\sigma$, a message $m$ and an identity $ID$, it returns 1 if $\sigma$ is a valid signature, and returns 0 otherwise.

3 Review of Su's signature scheme 



In this section, we review Su's signature scheme [6]. The scheme is described as follows:

Setup. Given a security parameter $k$, the PKG chooses two groups $G_1$ and $G_2$ of the same prime order $q$ as well as a bilinear map $e : G_1 \times G_1 \to G_2$. It also chooses a random generator $P$ of $G_1$, the master secret key $s \in \mathbb{Z}_q^*$ and a hash function $H : \{0,1\}^* \to \mathbb{Z}_q^*$. Afterwards, the PKG sets $Q_s = sP$ as the master public key of the system and publishes the public parameters $PP = (G_1, G_2, e, P, Q_s, H)$.

Extract. On input the master secret key $s$ and an identity $ID \in \{0,1\}^*$, the user with identity $ID \in \mathbb{Z}_q^*$ chooses a random value $sk_{ID} \in \mathbb{Z}_q^*$ as his secret key and publishes his public key $Q_{ID} = ID \times sk_{ID} \times Q_s$.

Sign. On input a message $m \in \{0,1\}^*$, the signer $ID$ with private key $sk_{ID}$ does the following steps:

1. Choose two random vectors $B = (b_1 P, b_2 P, \dots, b_n P)$ and $X = (x_1, x_2, \dots, x_n)$, where $b_i \in \mathbb{Z}_q^*$ and $x_i \in \{0, 1\}$.

2. Compute $a_i = b_i \times sk_{ID} \pmod q$ for each $i \in \{1, \dots, n\}$.

3. Compute $U = \sum_{i=1}^{n} x_i b_i P$ and $V = \lambda \sum_{i=1}^{n} x_i a_i P$, where $\lambda = H(m)$.

4. Output the signature $\sigma = (U, V)$.

Verify. On input a signature $\sigma = (U, V)$, a message $m$ and an identity $ID$ as well as the corresponding public key $Q_{ID}$, a verifier computes $\lambda = H(m)$ and then checks if

$$e(U, Q_{ID})^{\lambda} = e(V, Q_s)^{ID}.$$

If so, he accepts the signature; otherwise, he rejects it.
The correctness of the signature can be verified as follows:

$$\begin{aligned}
e(U, Q_{ID})^{\lambda} &= e\Big(\sum_{i=1}^{n} x_i b_i P,\; ID \times sk_{ID} \times Q_s\Big)^{\lambda} \\
&= e\Big(\sum_{i=1}^{n} x_i a_i P,\; ID \times Q_s\Big)^{\lambda} \\
&= e\Big(\lambda \sum_{i=1}^{n} x_i a_i P,\; Q_s\Big)^{ID} \\
&= e(V, Q_s)^{ID}.
\end{aligned}$$

Remark 1. We can see that, in Su's signature scheme, a verifier cannot confirm a user's public key from its identity since the user's public key involves a random secret value. Therefore, Su's signature scheme is not a standard ID-based signature scheme.

Remark 2. We also note that Su's scheme is not a certificateless signature scheme [7]. In a certificateless signature scheme, the secret key of a user is a combination of his partial private key generated by the PKG and some secret value chosen by the user himself.



4 Security analysis on Su's signature scheme 



Su [5] claimed that his signature scheme is secure in the random oracle model. However, he did not give a formal proof of the scheme. In this section, we will present two forgery attacks on his signature scheme and show that his scheme is insecure. In the first attack, a polynomial-time adversary $\mathcal{A}$, who has received a valid signature with respect to the user with identity $ID$, can forge a signature on any new message for the same user $ID$. In the second attack, we will show that the adversary $\mathcal{A}$ is also able to forge a signature on any message for a new user $ID'$.



4.1 Attack I 



Assume that the adversary $\mathcal{A}$ aims to forge a signature on $m^*$ with respect to the user with identity $ID$. After receiving $ID$'s valid signature $\sigma = (U, V)$ on message $m$, $\mathcal{A}$ makes two hash queries to obtain the values $\lambda = H(m)$ and $\lambda^* = H(m^*)$. Then he sets $U^* = U$ and $V^* = \frac{\lambda^*}{\lambda} V$, and outputs $\sigma^* = (U^*, V^*)$ as a signature on $m^*$. We can verify its validity as follows:

$$\begin{aligned}
e(V^*, Q_s)^{ID} &= e\Big(\tfrac{\lambda^*}{\lambda} V,\; Q_s\Big)^{ID} \\
&= \big(e(V, Q_s)^{ID}\big)^{\lambda^*/\lambda} \\
&= \big(e(U, Q_{ID})^{\lambda}\big)^{\lambda^*/\lambda} \\
&= e(U, Q_{ID})^{\lambda^*} \\
&= e(U^*, Q_{ID})^{\lambda^*}.
\end{aligned}$$



4.2 Attack II 



Since there is no authentication information for a user's public key, an adversary can replace any user's public key with a value of his choice. Here we show that the adversary $\mathcal{A}$ is also able to forge a signature on $m^*$ with respect to another identity $ID'$.

After receiving $ID$'s valid signature $\sigma = (U, V)$ on message $m$, $\mathcal{A}$ makes two hash queries to obtain the values $\lambda = H(m)$ and $\lambda^* = H(m^*)$. Then he sets $Q_{ID'} = \frac{ID'}{ID} Q_{ID}$, $U^* = U$ and $V^* = \frac{\lambda^*}{\lambda} V$, and outputs $\sigma^* = (U^*, V^*)$ as a signature on $m^*$ with respect to the user $ID'$. We can verify the validity of the signature as follows:

$$e(V^*, Q_s)$$



The two attacks demonstrate that, in Su's signature scheme, anyone can forge 
a valid signature on any message with respect to any identity as long as he has 
obtained one valid signature. Therefore, Su's signature scheme is not secure. 

5 Conclusion 

Recently, Su [6] presented an enhanced short signature scheme and claimed that it is secure in the random oracle model. In this paper, however, we have demonstrated that an adversary can forge a signature on any message with respect to any identity. In other words, Su's signature scheme is not secure.